3 minute read
Figure 3: User deregistration process
4 User deregistration
When an employee or contractor leaves the organization, it is vital that access controls are updated promptly to avoid a situation where an unauthorised person retains access to our systems. This will be achieved using the process below:
Figure 3: User deregistration process
4.1 Deregistration request
It is the responsibility of users and their managers to inform the [IT Service Desk] in a timely manner when employees leave the organization and so no longer need access to IT systems. As much
advance notice as possible should be given. In those circumstances where an employee has been involuntarily terminated at short notice the [IT Service Desk] must be informed by telephone immediately.
4.2 Assess urgency
The [IT Service Desk] will assess the urgency of the deregistration request based on the information provided and will decide whether to disable the user account straight away or to wait until the user leaves the organization. In general, for unfriendly terminations deregistration will be completed immediately whereas for voluntary resignations it will be done on the day the person leaves.
4.3 Disable user account
For most systems, the [IT Service Desk] will take the initial step of disabling the user account rather than deleting it. This will prevent access by the user but will retain all the information associated with the account and its data.
At a later date and with the system owner’s permission, the account may be deleted once any outstanding issues have been resolved. All user accounts associated with the user in question should be disabled even if Single Sign On (SSO) is in place e.g. if the user is in Finance, access to Active Directory and the Finance system (and any other systems the user has an account on) should be disabled. This is necessary to prevent the account being used by someone who still has access to the network in future. Accounts should be disabled in order of importance e.g. the Finance system before email.
4.4 Retrieve authentication token
If the deregistered user has a hardware authentication token this should be retrieved as part of the termination process and returned to the [IT Service Desk].
4.5 Inactive accounts
If a user account is inactive for a period of 90 days or more, the account will be disabled as per the deregistration process immediately.
5 Management of privileged access rights
Privileged access rights are those that involve a higher level of system access than a typical user. This includes “root” or “domain administrator” access and various types of supervisory access within application systems and databases. The process for managing privileged access rights is basically the same as for other types of user but the approval and review aspects should be treated much more rigorously. The number of people with such rights should be carefully controlled and rights should be removed as soon as they are no longer required. The following factors should be considered by the system owner as part of the approval criteria for such requests: • Why does the user need privileged access rights? • Is there an alternative way to achieve the desired end result without granting privileged access rights? • Does the user have the necessary training and expertise to avoid mistakes when using the privileged access rights? • How long are the rights needed for? • Is a documented agreement such as a Non-Disclosure Agreement required (e.g. for third parties)? A user who requires privileged access rights such as domain admin should request that a separate user account be created with these rights (e.g. john smith admin). Under no circumstances should the password for the default admin user account be issued. If the need for access is temporary, an expiry date should be set on the user account when it is created. When creating such accounts, it should be emphasised to the user that they are only for use when a higher level of permissions is needed and their normal, lower access level account should be used most of the time.
The need for accounts to hold privileged access rights will be reviewed according to the standard review process but may be performed on a more frequent basis depending on the sensitivity of the system(s) involved.